backdoor hardware crack found in motherboards made in China for use in US servers

"The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources."

"Five days after Bloomberg stunned the world with still-unconfirmed allegations that Chinese spies embedded data-sniffing chips in hardware used by Apple, Amazon, and dozens of other companies, the news organization is doubling down. Bloomberg is now reporting that a different factory-seeded manipulation from the previously described one was discovered in August inside the network of a major US telecommunications company."

More than four years have passed since the CIA announced its watershed deal with Amazon Web Services to build out a private cloud for the intelligence community. According to CIA CIO John Edwards, "it's the best decision we've ever made."

"It's the most innovative thing we've ever done," Edwards said in a June 14 speech at AWS' Public Sector Summit. "It is having a material impact on both the CIA and the IC."

Dubbed Commercial Cloud Services (C2S), the 10-year, $600 million contract essentially put an entire AWS cloud region on CIA premises. "Both sides took a chance ... this had never been done before," Edwards said, and he pointed to a range of metrics to support his praise for the partnership.

For example, it used to take the CIA 180 days to provision a single server, he noted. Through virtualization, "we got that down to 60 days, and thought, 'we're doing pretty good,'" he said. "Now through AWS and C2S, we're down to minutes. That's amazing."

Similarly, Edwards said, traditional IT acquisition often meant waiting nine months to be able to even test an application against actual data -- and if it didn't work as hoped, "then I'd start over." With the marketplace that's part of C2S, a developer can download an app in minutes and try it against the data set. If it "solves the mission," then "I can lease it as long as I want," he said. "If it doesn't, I blow up that instance, I download another application, and I try it again."

The agency is still working to build out that library of applications. There are roughly 100 applications in the marketplace, Edwards said, with "another 70 in the pipeline."

Thanks to such benefits, he said, "our adoption of cloud across the IC is growing 208 percent year over year. That's amazing." More than 4,000 developers across the community now work in the cloud environment, Edwards said, rather than at individually provisioned workstations. And since C2S is not connected to the internet, he added, the scalability and nimbleness don't come with serious security tradeoffs.

"I'm never going to say that anything you do in the cyber world is totally invincible," he said, but "this is pretty close. ... this is probably the most secure thing out there."

The National Security Agency has moved most of the mission data it collects, analyzes and stores into a classified cloud computing environment known as the Intelligence Community GovCloud.

The IC GovCloud is a single integrated “big data fusion environment” that allows analysts to rapidly “connect the dots” across all NSA’s data sources, according to Chief Information Officer Greg Smithberger.

The impetus for the multi-year move is getting the NSA’s data, including signals intelligence and other foreign surveillance and intelligence information it ingests from multiple repositories around the globe, into a single data lake analysts from the NSA and other IC agencies can run queries against.

“The NSA has been systematically moving almost all its mission into this big data fusion environment,” Smithberger told Nextgov in an interview. “Right now, almost all NSA’s mission is being done in [IC GovCloud], and the productivity gains and the speed at which our analysts are able to put together insights and work higher-level problems has been really amazing.”

Smithberger said the IC GovCloud environment accelerates the analytic work humans can do by employing machine learning and algorithms. Data ingested by NSA has been meta-tagged with bits of information, including where it came from and who is authorized to see it, which ensures analysts only immerse themselves in intelligence they’re cleared to see.

“This environment allows us to run analytic tools and do machine-assisted data fusion and big data analytics, and apply a lot of automation to facilitate and accelerate what humans would like to do, and get the machines to do it for them,” Smithberger said. Analysts, he said, can “interactively ask questions” of the data in the cloud environment, and it spits out data in “humanly readable form.”

The backbone of the system is the same commercial hardware you might see in data centers owned by Facebook, Amazon or other industry titans. But that hardware is blended with NSA-developed custom software, exotic processing, high performance computing and other unique NSA intellectual property.

“It’s really a hybrid of the latest and greatest commercial technology, but a lot of custom NSA technology and a lot of unique development we’ve done to actually create these outcomes,” Smithberger said.

While the IC GovCloud is NSA’s creation–and centrally funded by the NSA–its basic services are available to the 16 other agencies that comprise the IC, including the Central Intelligence Agency and National Geospatial-Intelligence Agency.

IC GovCloud is one of two major cloud initiatives across the IC. Four years ago, the CIA awarded a $600 million contract to Amazon Web Services to develop a commercial cloud environment for the IC agencies. Today, the Amazon-developed C2S provides utility computing services to the IC.

The Federal Bureau of Investigation is requesting feedback on its options for adopting a new secure, large-scale cloud computing service.

The FBI posted a request for information Feb. 16 to solicit industry input on acquiring a cloud computing system in line with the government's "cloud-first" policy across government. In it, the bureau states it is looking to acquire platform-as-a-service and software-as-a-service offerings "from an established cloud service provider with an existing, large-scale commercial offering" with the capability of providing services for multiple government agencies.

The move comes as the bureau's $30 billion Information Technology Supplies and Support Services contract vehicle is set to expire this October. The contract was awarded in October 2010, and covered one year plus seven option years.

Last November, the FBI posted a notice to industry about the pending expiration of IT-SSS, indicating that internal deliberations were ongoing about a possible recompete.

The FBI is a member of the intelligence community, and the bureau wants any commercial cloud service it adopts to meet IC requirements for handling classified data, as well as supporting big data management and processing and cognitive computing.

The bureau is also looking for services that provide middleware, such as identity and security management, log analysis and audit capabilities.

At a minimum, the RFI states, vendors should maintain at least two commercial multi-tenant data centers that have reserved, firewalled space for governmental use, within the U.S. border and 1,000 miles apart, to support roughly 50,000 users.

The FBI also wants to know about potential providers' status in the Federal Risk and Authorization Management Program, as well as any Department of Defense Information Assurance and Federal Information System Controls Audit Manual accreditations. Respondents are asked to explain whether the bureau will retain responsibility for system authorization and network connectivity, whether government can audit all hosting infrastructure changes, if the provider can provide and install infrastructure needed to build and operate the secret cloud environment, and whether the bureau can use its own cryptography.

The FBI also wants review and approval authority over the vendor's force-protection firm for physical security personnel.

As for service requirements, interested providers should be able to support multiple operating systems, host and manage third-party applications and provide business solutions in addition to tech infrastructure solutions.

The bureau also is trying to get a sense of how companies establish pricing models or fee structures for similar-in-scope storage, network and application-hosting services.